There is an interesting discussion on the PBX-in-a-Flash forums here regarding an Asterisk security announcement.
If you write custom Asterisk contexts outside of FreePBX, you should read through how to do this securely. In particular, you should not use wildcard pattern matching, as it could be used to create channels in a manner you did not intend.
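As an added illustration (not from the original post or the forum thread), here is a custom context showing the pattern the advice above warns against beside a hardened version. The context name and the trunk name "trunk" are assumptions; the special extensions i, t and h and the FILTER() function are standard Asterisk.

```ini
; Weak: the _. wildcard matches every dialled string, including Asterisk's
; special extensions (i, t, h) and any characters a caller can type, and
; the unfiltered ${EXTEN} is passed straight into the Dial() string.
[from-internal-custom-weak]
exten => _.,1,Dial(SIP/${EXTEN}@trunk)

; Hardened: match only the number shapes you actually route (here a
; 10-digit NANP number and 011-prefixed international calls), strip
; anything that is not a digit before building the dial string, and
; never fall through to a catch-all pattern.
[from-internal-custom]
exten => _NXXNXXXXXX,1,NoOp(Outbound call to ${EXTEN})
exten => _NXXNXXXXXX,n,Set(SAFE_NUMBER=${FILTER(0-9,${EXTEN})})
exten => _NXXNXXXXXX,n,Dial(SIP/${SAFE_NUMBER}@trunk,60)
exten => _NXXNXXXXXX,n,Hangup()

exten => _011X.,1,NoOp(International call to ${EXTEN})
exten => _011X.,n,Set(SAFE_NUMBER=${FILTER(0-9,${EXTEN})})
exten => _011X.,n,Dial(SIP/${SAFE_NUMBER}@trunk,60)
exten => _011X.,n,Hangup()

; Explicit handling for invalid and timed-out input so that these
; special extensions are never picked up by a wildcard pattern.
exten => i,1,Playback(invalid)
exten => i,n,Hangup()
exten => t,1,Hangup()
```

After editing, reload the dialplan and confirm with "dialplan show from-internal-custom" in the Asterisk CLI that only the intended patterns are present.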
Also raised is the potential for an Asterisk/FreePBX system to be compromised via the Asterisk Recording Interface (ARI). This is the web interface that allows you to view and manage voicemails. If you do not use this feature of FreePBX it is strongly recommended that you remove access to it. This can be done simply by running the following command as root on systems with a standard configuration –
chmod 000 /var/www/html/recordings
This will prevent the ARI being accessible via a browser.
If you would like more information regarding Asterisk dialplan security please see the following resources –
Last December the IC3 issued an alert for Asterisk users which can be seen here.
This initially caused a panic amongst the developers as it wasn’t really clear what the alert was about. It turns out that it was for a vulnerability that was identified and patched by Digium 9 months earlier. IC3 issued an updated bulletin shortly after describing the issue a little better, which can be seen here.
I’m still seeing this alert being used to try and discourage people from using Asterisk but as far as I can see it’s just a normal security warning that was quickly identified and fixed by the software developer.
It allows you to call in to your Asterisk server, get a dial tone, and then dial back out as if you were using a normal extension on your system. I use this lots to make cheap international calls from my mobile phone.
You may also wish to route your DISA calls via A2Billing. If you’ve integrated FreePBX and A2Billing as described here it’s a simple case of changing one setting on your DISA setup in FreePBX.
I spent a little while playing with sipvicious today. This is a SIP scanner that can be used for scanning SIP servers – which obviously includes Asterisk, Trixbox, Elastix, etc…
It’s not surprising that scanning for vulnerable SIP servers is on the increase – these sorts of tools are really easy to use, and with the lure of making free phone calls at your expense it’s definitely worth making sure that your PBX is secure.
Here’s what I did to scan one of my servers. The server is a Trixbox CE 2.6 server and I set up the following extensions for testing –